cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2842
Views
0
Helpful
13
Replies

9120 EWC not able to use ACL

patrickroberts
Level 1
Level 1

Hi 

new deployment for a customer running 9120axi APs.

 

all setup and working with a Corp and a Guest WLAN.

 

the issue comes when I try to add a ACL to our Guest and Corp WLAN via policy the users get incorrect password and are not able to connect to the SSID.

 

as soon as I remove ACL all is ok. 

it seems not matter what ACL added (blank ACL with just permit all) the username gets the incorrect password on device when trying to connect.

 

all we are trying to do is separate the guest traffic being able to access the Corp subnet which all the network is running from on a cat9300 .?

 

version 17.6 las test has been installed on EWC.

 

L3 on switch

vlan 20 -Guest 192.168.x.x -iphelper 172.22.x.x

vlan 30 -Corp  172.40.x.x -iphelper 172.22.x.x

vlan 40 -Mgmt -native vlan 172.50.x.x

 

users using PSK (customer choice on this ) 

 

Is it a bug or would you say a limitation on a 9120 EWC ? 

13 Replies 13

Arshad Safrulla
VIP Alumni
VIP Alumni

Hi,

How and where dis you define the ACL for the WLAN? if I were to isolate Guest traffic I would consider any of the below (Please note all EWC ap’s are in Flex connect mode)

1. Keep Guest in a different VRF at upstream switch

2. Apply an ACL in L3 to deny RFC1918 ranges with permit ip any any as the last statement. If you have internal DNS, DHCP make sure to allow them

3. If you have an upstream firewall extent the L3 SVI for Guest VLAN to the firewall. This may require changes at ur firewall connecting ports at switch(Trunk) as well.

Hi Arshad

 

Thanks for the reply...

 

Im adding in the ACL on the 9120 EWC controller and then adding it into the policy for each WLAN.

 

more info is below - i was trying to use the EWC for this as per the ACL in the documents..

 

if i have to add this to the 9330 L3 switch what is the ACL on the EWC used for ?

 

!
ip access-list extended Corp_ACL
1 deny ip 172.30.0.0 0.0.255.255 192.168.50.0 0.0.0.255
2 deny ip 192.168.50.0 0.0.0.255 172.30.0.0 0.0.255.255
3 permit ip 172.30.0.0 0.0.255.255 any
4 deny ip any any


ip access-list extended Guest_ACL
1 deny ip 192.168.50.0 0.0.0.255 172.30.0.0 0.0.255.255
2 deny ip 172.30.0.0 0.0.255.255 192.168.50.0 0.0.0.255
3 permit ip 192.168.50.0 0.0.0.255 172.30.2.1 0.0.0.255
4 deny ip any any

192.168.50.0/24 - Guest_ACL
172.23.50.0/24 - Corp_ACL
172.30.2.1 - DHCP Server on LAN side

 

error message we get when ACL is on EWC -

The controller says %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (d6a9.97ef.661a) on Interface capwap_90000004 AuditSessionID 000000000000004B10D203AA. Failure Reason: ACL Failure.

Did you add the ACL to the Flex-Profile? This is needed to get the ACL "pushed" to the AP where the filtering is applied.

Hi Karsten

 

I did try adding into the Flex profiel i setup with the vlan L2 Corp /Guest and the ACL with it.

 

for both  Corp and Guest i did - Flex-profiel - vlan- vlan name- vlan id - ACL name

 

Do you not need to add the ACL to the poilcy profile at all then ? i was working from the document

 

I will try again tomomrrow and see what logs i get back..

 

 

 

There are multiple options available, WLC also gives you the flexibility do ACL's. Where to do the filtering completely depends on your design and operational requirements, in my opinion if you are to filter packets at WLC or AP level I see that as complicating the network, I feel it is more cleaner when you do this at upstream level as this will take the unnecessary burden from the WLC or AP's. But the new WLC's and AP's are capable enough to handle moderate task. (I do not have impact analysis of enabling ACL's in WLC or AP, just my opinion)

My ACL would look like below. 

For Guest

ip access-list extended Guest_Block
permit udp 192.168.50.0 0.0.0.255 host 172.30.2.1
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.0.0.0 0.0.15.255
deny ip any 192.0.0.0 0.0.255.255
permit ip 192.168.50.0 0.0.0.255 any

It is very important to note that when applying Flex ACL's you have to select the correct direction. Ingress means traffic directed towards the client and egress means traffic towards the LAN.

 

 

Hi Arshad

 

Still not workig even if i add in a deny all IP ACL to the flex account vlan 50 (guest) all traffic still allowed...

 

its like its not even seeing the ACL on the WLAN..

 

 

Did you apply ingress or egress in Flex profile?

Hi Arshad

 

I tried both ways still the same...

 

why is there a WLAN ACL in policy profile for Guest as i can add in the acl there aswell but when i do that the users gets incorrect password ?

 

im using the below Cisco doc for ref but nothing in there about separating Guest from Corp users..

 

https://www.cisco.com/c/en/us/products/collateral/wireless/embedded-wireless-controller-catalyst-access-points/white-paper-c11-743398.html

When you SSH into your AP (not EWC), do you see your ACLs with a "show access-list"?

Hi Karsten

 

I will try this tomorrow and let you know

 

Thanks for the suggestion..

Hi All

 

Still no joy with this see below looks like the AP isnt getting any info from the EWC ?

 

AP# sh flexconnect vlan-acl

  <cr>

AP# sh flexconnect vlan-acl

Flexconnect VLAN-ACL mapping-- ingress vlan

ACL disabled on ingress vlan

No configured vlans

 

Flexconnect VLAN-ACL mapping-- egress vlan

ACL disabled on egress vlan

No configured vlans

EWC Flex.png

At this point best option is to reach out to TAC. But I would still consider implementing the same ACL in upstream Layer3 device as all the EWC related deployments are Flex AP's.

Ameulen01
Level 1
Level 1

The guide is not very clear on this but the ACL is working but for EWC or Flex you need some extra configuration, on EWC / Flexconnect there are two ways to configure an ACL:

- On the flexconnect profile attached to the vlan

- On the wlan

 

But for both you need to configure the policy-acl also on the flexconnect profile to push the acl to the flexconnect Aps.

 

For example an Guest wlan with 192.168.10.0 subnet which you want to allow internet but not internal resources.

 

The ACL works both ways Ingress/ egress and you have to take into account also the return traffic:

 

Acl on flexconnect vlan:

 

ip access-list extended GUEST

 10 permit udp any eq bootpc any eq bootps

 11 permit udp any eq bootps any eq bootpc

 20 permit ip any 192.168.10.0 0.0.0.255

 31 deny   ip any 10.0.0.0 0.255.255.255

 32 deny   ip any 172.16.0.0 0.15.255.255

 33 deny   ip any 192.168.0.0 0.0.255.255

 40 permit ip any any log

 41 permit icmp any any

 

wireless profile flex default-flex-profile

acl-policy GUEST

vlan-name Guest

  acl GUEST

  vlan-id 10

 

the acl on the wlan:

 

wireless profile flex default-flex-profile

acl-policy GUEST

 

wireless profile policy Guest

ipv4 acl GUEST

 

You can confirm by connecting to the CLI of the flex AP with commands:

 

wireless ewc-ap ap shell username admin

show client access-lists post-auth all <Mac Address>

show flexconnect vlan-acl

Review Cisco Networking for a $25 gift card